UK Intel Agency's Missing Laptops Might Contain Sensitive Data
superapecommando writes "GCHQ lost 35 laptops in one year, potentially containing highly sensitive data. The UK's electronic spy centre was today lambasted by MPs for having a 'cavalier' attitude to data security. The centre is responsible for tracking the electronic communications of terrorists. In a new report, the Commons Intelligence and Security Committee expressed concern that GCHQ appeared to be entirely unaware whether or not the computers, lost in 2008, contained top secret information on people posing an imminent security threat to the country."
Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?
That's a great idea. You know where London 2600 is held, right? Pretty sensible place to advertise, then - and if the Security Service and Secret Intelligence Service are advertising, why not GCHQ, the great-granddaddy of the father of modern computing and cryptology?
The big challenge is that all the people with the requisite expertise in that particular field either have ethical problems with working for a government that does things that run contrary to their personal beliefs (restrictions on free speech, mass surveillance and censorship, certain recent unpopular wars, and so on), or they don't really have anything left in the way of ethics at all (in which case, their trustworthiness is very limited, and they may already be working for organised crime or another government).
Many of the older ones have retired from doing that kind of thing and settled down, and the problem with that is that their skill set is unlikely to be current. There are of course timeless techniques, but the field also moves very quickly and rediscovers new things in different ways, so keeping current is important.
Of course, there are always new ones. Fresh talent does emerge and can probably be recruited in larval form, but not all hacking is self-taught, and the difference between a good hacker and a world-class hacker is things picked up from experience and teaching. Mentoring. But part of that is the counter-culture mindset; it's a required part of the critical thinking needed. Some people are needed to teach, and teach very, very well. But the problem is that those people do not want to work for the UK government, even in a teaching capacity.
A similar problem emerges when trying to buy a covert remote intelligence tool (CRIT). What to do; license Zeus? Hardly. The Chinese did something similar, and as you no doubt heard it turned out worryingly successful with a simple black market Trojan and some very astute targeting. But you can scarcely expect that to work the same way twice. Something rather more advanced is needed, but those that have developed more advanced tools have essentially told the intelligence agencies to go screw themselves or are otherwise people it would be recommended to avoid dealing with (as above). So a tender was raised at a recent conference and there have been no decent bids (General Electric almost don't count).
Anyway. As for the story, the key word is "might". This audit is ahead of a new system proposed to modernise the key management by introducing ubiquitous security tokens, and full-disk encryption in software (TOP SECRET uses specialist hardware devices rather than hard disks right now). The problem here is a lack of yearly auditing, and unmarked, uncleared notebooks that should not have touched classified information, and probably did not if best practices from the CESG were followed, but conceivably could have done, which is unacceptable and something that needs to be addressed...